-
Notifications
You must be signed in to change notification settings - Fork 6
/
test_setup.tendrl_httpd_ssl_qeca.yml
38 lines (35 loc) · 1.39 KB
/
test_setup.tendrl_httpd_ssl_qeca.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
---
# ===============================================================
# Setup of HTTPS for Tendrl UI, API and Grafana using QE SSL CA
# ===============================================================
#
# This is real world use case which doesn't use self signed SSL certs, but
# instead it:
#
# * generates new SSL certificate for httpd on Tendrl server
# * sings this new cert with QE SSL CA
# * SSL key and cert for http is different from SSL key and cert used for
# etcd client server auth (but it's signed by the same QE SSL CA)
#
# Browsers and clients of QE team have this QE CA imported, so that there
# should be no warning about unknown SSL certificate, and accessing Tendrl
# via https should just work.
- hosts: usm_server
remote_user: root
vars:
tendrl_ssl_cert_name: "tendrl-grafana-http"
roles:
- role: qe-ssl-cert
ssl_cert_name: "{{ tendrl_ssl_cert_name }}"
ssl_owner: "apache"
ssl_group: "apache"
- role: tendrl-httpd-ssl
httpd_ssl_certificate_key_file: "/etc/pki/tls/private/{{ tendrl_ssl_cert_name }}.key"
httpd_ssl_certificate_file: "/etc/pki/tls/certs/{{ tendrl_ssl_cert_name }}.crt"
# For client machine to be able to communicate with Tendrl over https without
# any problems, QE CA cert file (which signed the just deployed Tendrl httpd
# cert) is imported on the client.
- hosts: usm_client
remote_user: root
roles:
- role: qe-ssl-ca